
User Guide

TABLE OF CONTENTS

FortiSIEM User Guide
Overview
FortiSIEM Releases
What's New in 7.1.9
What's New in 7.1.8
What's New in 7.1.7
What's New in 7.1.6
What's New in 7.1.5
What's New in 7.1.4
What's New in 7.1.3
What's New in 7.1.2
What's New in 7.1.1
What's New in 7.1.0
What's New in 7.0.4
What's New in 7.0.3
What's New in 7.0.2
What's New in 7.0.1
What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
CMDB
Incidents and Cases
Device Support
Rules, Reports, and Dashboards
Advanced Health System
Managing FortiSIEM
Administration
Setup
Configuring Storage
Configuring ClickHouse Based Deployments
Configuring EventDB Based Deployment
Configuring Elasticsearch Based Deployment
Changing Event Database
Changing NFS Server IP
Setting Organizations and Collectors
Setting Collectors (Enterprise)
Setting Credentials
Discovering Devices
Editing Event Pulling
Editing Performance Monitors
Configuring Synthetic Transaction Monitoring
Configuring Maintenance Calendars
Configuring Windows Agent
Configuring Linux Agent
Configuring FortiSIEM Manager
Device Support
Working with Devices and Applications
Working with Event Attributes
Working with Event Types
Working with Parsers
Working with Custom Performance Monitors
Working with Custom Properties
Creating SNMP System Object Identifiers for devices
Analyzing Custom Log Files
Configuring Local Syslog File Ingestion from a Directory
Configuring Local PCAP File Ingestion from a Directory
Health
Viewing Cloud Health
Viewing Collector Health
Viewing Agent Health
Viewing Elasticsearch Health
Viewing Replication Health
License
Viewing License
Viewing License Usage
Working with Nodes
Configuring Supervisor Cluster
Configuring Disaster Recovery
Content Update
Settings
System Settings
Analytics Settings
UEBA Settings
Cloud Machine Learning
Discovery Settings
Monitoring Settings
Event Handling Settings
Database Settings
Creating Retention Policy
Viewing Online Event Data Usage
Viewing Archive Event Data
Event Log Integrity
ClickHouse Configuration
Role Settings
Mapping AD Groups to Roles
Compliance Settings
Compliance PCI Settings
General Settings
External Authentication Settings
Incident Notification Settings
Define Notification Action - Email/SMS/Webhook
Configuring External Integrations
ServiceNow Security Operations (SecOps) Integration
ServiceNow SOAP Integration Requirements
Escalation Settings
Configuring SSL Socket Certificates
Managing CMDB
Devices
Viewing Device Information
Working with Device Groups
Creating and Editing Devices
Performing Operations on Devices
Associating Parsers to a Device
Searching for Devices
Applications
Viewing Application Information
Editing Applications
Working with Application Groups
Users
Adding Users
Editing Users
Performing Operations on Users
Working with User Groups
Business Services
Viewing Business Services
Creating Business Services
Working with Business Service Groups
CMDB Reports
Creating CMDB Reports
Scheduling a CMDB Report
Running a CMDB Report
Adding CMDB Report to Dashboard
Managing Resources
Reports
Viewing System Reports
Running System Reports
Creating New Reports
Working With Report Templates
Scheduling Reports
Importing and Exporting Reports
Importing and Exporting Report Definitions
Rules
Viewing Rules
Creating Rules
Activating and Deactivating a Rule
Testing a Rule
Exporting and Importing Rule Definitions
Networks
Adding a Network
Modifying a Network
Deleting a Network
Watch Lists
System-defined Watch List
Creating a Watch List
Modifying a Watch List
Using a Watch List
Exporting and Importing Watch Lists
Protocols
Adding a Protocol
Modifying a Protocol
Deleting a Protocol
Event Types
Adding an Event Type
Modifying an Event Type
Deleting an Event Type
Working with AlienVault OTX
Working with Dragos IOCs
Working with FortiGuard IOCs
Working with Malware Patrol
Working with ThreatConnect
Malware Domains
Adding a Malware Domain
Modifying a Malware Domain
Deleting a Malware Domain
Importing Malware Domains
Viewing Malware Domains
Working with Custom Threat Feeds that use HTTPS Connectivity
Malware IPs
Adding a Malware IP
Modifying a Malware IP
Deleting a Malware IP
Importing Malware IPs
Viewing Malware IPs
Malware URLs
Adding a Malware URL
Modifying a Malware URL
Deleting a Malware URL
Importing Malware URLs
Viewing Malware URLs
Malware Processes
Creating a Malware Process Group
Adding a Malware Process
Modifying a Malware Process
Deleting a Malware Process
Importing Malware Processes
Viewing Malware Processes
Country Groups
Creating a Country Group
Adding a Country Group
Modifying a Country Group
Deleting a Country Group
Changing the Home Country
Malware Hash
Adding a Malware Hash
Modifying a Malware Hash
Importing/Updating User-defined Malware Hash
Viewing Malware Hash
Default Password
Adding a Default Password
Modifying a Default Password
Importing and Exporting a Default Password
Anonymity Network
Adding Anonymity Networks
Modifying Anonymity Networks
Updating Anonymity Networks
User Agents
Adding User Agents
Modifying User Agents
Importing and Exporting User Agents
Remediations
Adding Remediations
Modifying Remediations
Deleting Remediations
Lookup Tables
Adding a Lookup Table
Deleting a Lookup Table
Working with Lookup Table Data
Playbooks
Viewing Playbooks
Updating Playbooks
Connectors
Viewing Connectors
Updating Connectors
Machine Learning Jobs
Viewing Machine Learning Jobs
Editing a Machine Learning Job
Deleting a Machine Learning Job
Osquery
Viewing osquery Templates
Creating osquery Templates
Working with Cases
Creating a Ticket
Editing a Ticket
Managing Cases
Working with Incidents
Overview View
List View
Risk View
Explorer View
MITRE ATT&CK View
UEBA View
Investigating Incidents
Automated Incident Resolution Recommendation
Lookups Via External Websites
CVE-Based IPS False Positive Analysis
Remediating an Incident using a Script
Executing a Playbook on an Incident
Running a Connector on an Incident
Troubleshooting Incident Trigger
Working with Analytics Search
Running a Built-in Search
Understanding Search Components
New Query Functions
Viewing Historical Search Results
Viewing Real-time Search Result
Using Nested Queries
Searches Using Pre-computed Results
Saving Search Results
Viewing Saved Search Results, Loading Reports and Shortcuts
Exporting Search Results
Emailing Search Results
Creating a Rule from Search
Copying Filter and Time Range Tab Information
Executing a Playbook
Running a Connector
Machine Learning
Overview
Anomaly Detection
Classification
Clustering
Forecasting
Regression
Working with Dashboards
General Operations
Widget Dashboard
Summary Dashboard
Business Service Dashboard
Identity and Location Dashboard
Interface Usage Dashboard
PCI Logging Status Dashboard
Managing Tasks
Fortinet Advisor
FortiSIEM Manager
FortiSIEM Manager Incidents
FortiSIEM Manager Incidents Overview View
FortiSIEM Manager Incidents - List View
FortiSIEM Manager CMDB Users
FortiSIEM Manager CMDB Adding Users
FortiSIEM Manager - Editing User Information
FortiSIEM Manager Resources
FortiSIEM Manager Resources Rules
FortiSIEM Manager Resources Connectors
FortiSIEM Manager Resources Playbooks
FortiSIEM Manager Resources - Event Types
FortiSIEM Manager Admin
FortiSIEM Manager Setup
FortiSIEM Manager Health
FortiSIEM Manager Cloud Health
FortiSIEM Manager Collector Health
FortiSIEM Manager License
FortiSIEM Manager Content Update
Appendix
Administrative Tools and Information
Adding Network Interfaces
Backing Up and Restoring Databases
Creating and Restoring ESX Snapshots
Exporting Events to Files
Import Tools
Increasing Collector Event Buffer Size
Listing Event Attributes seen by Elasticsearch
Managing Events in EventDB
Managing FortiSIEM Operations
ClickHouse Usage Notes
ClickHouse Index Design
ClickHouse Operational Overview
ClickHouse Query Optimization Guidelines
Handling ClickHouse Node IP Change
ClickHouse Backup and Restore Steps
Deleting Organization Data
Rebalancing Shards
Advanced Operations
Migrating ClickHouse Events from FortiSIEM 6.5.0 to 6.6.0 or Later
Post-7.1.1-upgrade ClickHouse IP Index Rebuilding
Reference
Configuration Notes
Automated CMDB Disk Space Management
Component Communication and Network Port Usage
Configuring FortiSIEM Application Server for Proxy Connectivity
Editing phoenix_config.txt File
FortiSIEM Deployment Scenarios
FortiSIEM OS Updates and Internet Connectivity
Tuning PostgreSQL Configuration Parameters
Elasticsearch Usage Notes
Configuring Elasticsearch Buffer
Configuring Elasticsearch Timeout
Dynamic Scripting Limits
Elasticsearch Feature Compatibility
Merging Small Elasticsearch Indices into a Big Index
Differences in Analytics Semantics between EventDB and Elasticsearch
Elasticsearch Known Issues
Examples of Custom Performance Monitors
Custom JDBC Performance Monitor for a Custom Table
Custom SNMP Monitor for D-Link Interface Network Statistics
Custom JMX Monitor for IBM Websphere
Custom SNMP Monitor for D-Link HostName and SysUpTime
Custom WMI Monitor for Windows Domain and Physical Registry
FortiEMS Endpoint Tagging
GUI Notes
Flash to HTML5 GUI Mapping
FortiSIEM Charts and Maps
FortiSOAR Integration Notes
Configuring FortiSOAR for FortiSIEM Integration
Writing FortiSIEM Compatible FortiSOAR Playbooks
Functions in Analytics
Aggregate Functions
CMDB Lookup Function
Conversion Functions
Date Conversion Functions
Evaluate and Set Function
Extraction Function
Lookup Table Functions
String Manipulation Functions
Time Window Functions
Knowledge Base
FortiSIEM Event Attribute to CEF Key Mapping
Event Categories and Handling
Public Domain Built-in Rules
License Enforcement
Parser Specification
General Parsing Patterns
Event Format Recognizer Specification
Parsing Instructions
Setting Event Attributes
When Construct
Choose Construct
Switch Construct
Built-in Patterns
Built-in Functions
Collect and Set Functions
Compute Functions
Conversion Functions
Extraction Functions
String Functions
Python Threat Feed Framework
UEBA Information
Comparing UEBA Sources
UEBA based on Log
UEBA Sample Logs